CNBC Geopolitics Fetcher
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: cnbc-geopolitics-fetcher
Version: 1.0.3
The skill bundle is a specialized news scraper designed to fetch geopolitical articles from CNBC and post them to a Discord channel. The primary script, `scripts/fetch_cnbc_geopolitics.py`, uses standard libraries (requests/BeautifulSoup) to extract specific factual data and analyst forecasts for use in prediction markets like Polymarket. While the bundle contains a hardcoded Discord webhook URL in `SKILL.md` and `references/config.md` (representing a credential leak/exposure), the code logic is strictly limited to its stated purpose and shows no signs of data exfiltration, unauthorized local file access, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the skill artifacts may be able to post to the embedded Discord webhook, and a user running the default config may send article posts to an unintended channel.
A Discord webhook URL is a bearer-style credential that grants posting authority to a Discord channel; bundling it exposes that permission and may direct output to a destination the installer does not control.
## Discord Webhook https://discord.com/api/webhooks/1482043765471445333/-cHOLCq...
Remove the bundled webhook, rotate it if it is real, require each user to provide their own webhook through a credential store or environment variable, and declare the credential requirement in metadata.
Running it may violate website controls or policies, trigger blocking, or perform scraping in a way the target site is trying to prevent.
The skill explicitly advertises stealth scraping to bypass site protections, which is a materially riskier tool use than ordinary fetching even though scraping news is the stated purpose.
Uses Scrapling (stealth headless browser) to bypass anti-bot protections
Use official feeds/APIs or normal HTTP fetching where possible, document scraping limits, and avoid stealth/anti-bot bypass behavior unless the user has authorization.
Future dependency versions could behave differently from what was reviewed.
The setup installs unpinned Python dependencies; this is expected for a Python scraping skill, but exact dependency versions are not locked in the artifacts.
pip install scrapling beautifulsoup4 requests
Pin dependency versions and provide an install spec or requirements file so users can reproduce the reviewed environment.
